The vulnerability exists within the `io.netty.handler.codec.http.HttpRequestEncoder` class. When encoding an HTTP request, this component writes the request URI directly into the output buffer using UTF-8 encoding, without checking it for carriage return (`\r`) or line feed (`\n`) characters. The critical line of code is `buf.writeByte(SP).writeCharSequence(uriCharSequence, CharsetUtil.UTF_8);`. Because the URI is copied verbatim, an attacker who controls it can inject CRLF sequences into `uriCharSequence`. These injected characters can terminate the current request line and inject malicious HTTP headers or even an entirely new, smuggled HTTP request directly into the stream. While Netty’s default header validation prevents such injection via headers, the URI path was not similarly protected. This discrepancy enables HTTP Request Smuggling attacks when a downstream server interprets the maliciously crafted single request as two distinct requests.
Platform: Netty
Version: < 4.1.59.Final
Vulnerability: Request Smuggling
Severity: Medium
Date: 2021-01-26
Prediction: 2021-01-26
What Undercode Say:
`find . -name "*.jar" -exec jar -tf {} \; | grep -i netty`
`if (uri.contains("\r") || uri.contains("\n")) { throw new IllegalArgumentException(); }`
How the Exploit Works:
Craft malicious URI.
Inject CRLF sequences.
Smuggle secondary request.
Protection from this CVE:
Upgrade to 4.1.59.
Sanitize user-controlled URIs.
Use HTTP validators.
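As an added example (not Netty's code and not part of the original post), the sketch below shows why the verbatim URI copy matters and how a guard applied before the URI reaches the encoder closes the gap. `RequestUriGuard`, `encodeRequestLine`, `countLines` and `requireSafeUri` are hypothetical names; `encodeRequestLine` is a simplified stand-in for the encoder's request-line output, and the guard goes beyond the CR/LF check above by rejecting every ASCII control character and the space character, none of which may appear raw in a request target.

```java
import java.nio.charset.StandardCharsets;

public class RequestUriGuard {

    // Simplified stand-in for a request encoder: METHOD SP URI SP VERSION CRLF.
    // Like the behaviour described above, it copies the URI verbatim.
    static byte[] encodeRequestLine(String method, String uri) {
        return (method + ' ' + uri + " HTTP/1.1\r\n").getBytes(StandardCharsets.UTF_8);
    }

    // Number of CRLF-terminated lines a downstream parser would see in the bytes.
    static int countLines(byte[] wire) {
        int lines = 0;
        for (int i = 1; i < wire.length; i++) {
            if (wire[i - 1] == '\r' && wire[i] == '\n') {
                lines++;
            }
        }
        return lines;
    }

    // Hypothetical guard: returns the URI unchanged, or throws if it contains
    // CR, LF, any other ASCII control character, or a space.
    static String requireSafeUri(String uri) {
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c <= 0x20 || c == 0x7f) {
                throw new IllegalArgumentException(String.format(
                        "illegal character 0x%02x at index %d in request URI", (int) c, i));
            }
        }
        return uri;
    }

    public static void main(String[] args) {
        String clean = "/search?q=netty";                    // constructed sample
        String tainted = "/search?q=netty\r\nX-Injected: 1"; // constructed sample
        // Without a guard, the tainted URI turns one request line into two lines.
        System.out.println("clean lines:   " + countLines(encodeRequestLine("GET", clean)));
        System.out.println("tainted lines: " + countLines(encodeRequestLine("GET", tainted)));
        // With the guard, the tainted URI never reaches the encoder.
        requireSafeUri(clean);
        try {
            encodeRequestLine("GET", requireSafeUri(tainted));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the value outright, rather than stripping the offending characters, keeps the client from silently sending a URI the caller never intended.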
Impact:
Request Smuggling
Cache Poisoning
Security Bypass
Sources:
Reported By: github.com

